List: oss-security
Subject: [oss-security] [CVE-2017-15712] Apache Oozie Server vulnerability
From: Rohini Palaniswamy <rohini () apache ! org>
Date: 2018-02-15 22:09:50
Message-ID: CABBupGWtC2vN-JzXWeuDaN-_bP6yzRJhK+DAfr=gSGLZJGbFCQ () mail ! gmail ! com
Apache Oozie is a workflow scheduler system to manage Apache Hadoop jobs.
Severity: Severe
Vendor:
The Apache Software Foundation
Versions Affected:
Oozie 3.1.3-incubating to Oozie 4.3.0
Oozie 5.0.0-beta1
Description:
Vulnerability allows a user of Oozie to expose private files on the Oozie
server process. The malicious user can construct a workflow XML file
containing XML directives and configuration that reference sensitive files
on the Oozie server host.
Mitigation:
Users should upgrade to Apache Oozie 4.3.1 release from
http://oozie.apache.org/ .
Users should use 5.0.0-beta1 release only for testing purposes and wait for
the 5.0.0 GA which will have the fix.
Credit:
The issues were discovered by Daryn Sharp and Jason Lowe of Oath (formerly
Yahoo! Inc).
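The advisory describes the flaw only at a high level (a workflow XML document whose "XML directives" make the server-side parser read local files), and it does not show the Oozie code or the fix. The following is an added example, not Oozie's code and not the project's patch: it shows the generic defence for a Java service that parses untrusted XML, a DocumentBuilderFactory configured to reject DOCTYPE declarations and external entities, next to the JDK default. The workflow-shaped document, the file path in it and the class name are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Added example (not Oozie code): contrast the JDK's default XML parser with one
 * hardened against DTD and external-entity tricks when parsing untrusted input.
 */
public class HardenedWorkflowParser {

    // Constructed sample (not taken from the advisory): a workflow-shaped document
    // whose internal DTD subset declares an external entity that resolves to a file
    // on the parsing host, then references that entity in element content.
    static final String UNTRUSTED_WORKFLOW =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE workflow-app [\n"
      + "  <!ENTITY leak SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<workflow-app name=\"demo\" xmlns=\"uri:oozie:workflow:0.5\">\n"
      + "  <start to=\"fail\"/>\n"
      + "  <kill name=\"fail\"><message>&leak;</message></kill>\n"
      + "  <end name=\"end\"/>\n"
      + "</workflow-app>\n";

    /** JDK default: DOCTYPE is processed and external general entities are resolved. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: no DOCTYPE at all, and every external-resource path switched off. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing the DOCTYPE outright is the strongest single setting: no entity
        // declarations, no external DTD fetch, no entity-expansion attacks.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that honour only the SAX-level features.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: empty string means "no protocol allowed" for external access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses xml with the given factory; returns the first <message> text, or null on rejection. */
    static String killMessage(DocumentBuilderFactory f, String xml) {
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            DocumentBuilder b = f.newDocumentBuilder();
            Document doc = b.parse(in);
            NodeList msgs = doc.getElementsByTagName("message");
            return msgs.getLength() == 0 ? "" : msgs.item(0).getTextContent();
        } catch (Exception e) {
            // Hardened factory: SAXParseException "DOCTYPE is disallowed".
            // Default factory: only fails if the referenced file cannot be read.
            System.out.println("parse failed: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String expanded = killMessage(defaultFactory(), UNTRUSTED_WORKFLOW);
        System.out.println("default parser  -> " + (expanded == null
            ? "rejected"
            : "accepted; <message> now carries " + expanded.length() + " chars of file content"));
        String hardened = killMessage(hardenedFactory(), UNTRUSTED_WORKFLOW);
        System.out.println("hardened parser -> " + (hardened == null ? "rejected (DOCTYPE disallowed)" : "accepted"));
    }
}
```

Run on a host that has /etc/hostname, the default factory accepts the document and the text of the kill message is the file's contents; the hardened factory throws before any entity is declared. Hardening the parser this way is a defence for any service that accepts XML from users, but for Oozie itself it is not a substitute for the upgrade the advisory requests, since the advisory also mentions configuration-based references that a parser setting alone may not cover.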